1. 前言

转载请说明原文出处, 尊重他人劳动成果!

源码位置: https://github.com/nicktming/istio
分支: tming-v1.3.6 (基于1.3.6版本)

上一篇文章 [istio源码分析][citadel] citadel之istio_ca 分析了istio_ca的serviceaccount controller 和 自定义签名, 本文将在此基础上继续分析istio_ca提供的一个grpc server 服务.

2. 认证(authenticate)

认证的实现体需要实现以下几个方法:

// security/pkg/server/ca/server.go
type authenticator interface {
    // 认证此client端用户并且返回client端的用户信息
    Authenticate(ctx context.Context) (*authenticate.Caller, error)
    // 返回认证类型
    AuthenticatorType() string
}
// security/pkg/server/ca/authenticate/authenticator.go
type Caller struct {
    // 认证的类型
    AuthSource AuthSource
    // client端的用户信息
    Identities []string
}

authenticator 有三个实现体:
1. KubeJWTAuthenticator (security/pkg/server/ca/authenticate/kube_jwt.go) .
2. IDTokenAuthenticator (security/pkg/server/ca/authenticate/authenticator.go)
3. ClientCertAuthenticator (security/pkg/server/ca/authenticate/authenticator.go)

这里主要分析一下KubeJWTAuthenticator的实现.

2.1 KubeJWTAuthenticator

关于jwt的知识可以参考 https://www.cnblogs.com/cjsblog/p/9277677.html 和 http://www.imooc.com/article/264737?block_id=tuijian_wz .

// security/pkg/server/ca/authenticate/kube_jwt.go
type tokenReviewClient interface {
    // 输入一个Bearer token, 返回{namespace, serviceaccount name}
    ValidateK8sJwt(targetJWT string) ([]string, error)
}
func NewKubeJWTAuthenticator(k8sAPIServerURL, caCertPath, jwtPath, trustDomain string) (*KubeJWTAuthenticator, error) {
    // 访问k8sAPIServerURL的证书
    caCert, err := ioutil.ReadFile(caCertPath)
    ...
    // 客户端用户的信息(jwt token)
    reviewerJWT, err := ioutil.ReadFile(jwtPath)
    ...
    return &KubeJWTAuthenticator{
        client:      tokenreview.NewK8sSvcAcctAuthn(k8sAPIServerURL, caCert, string(reviewerJWT)),
        trustDomain: trustDomain,
    }, nil
}

1. tokenReviewClient是输入一个token, 返回一个字符串数组, 里面信息有namespace 和 serviceaccount name. 它的实现体在security/pkg/k8s/tokenreview/k8sauthn.go.
2. 生成一个KubeJWTAuthenticator对象.

Authenticate 和 AuthenticatorType

// security/pkg/server/ca/authenticate/kube_jwt.go
func (a *KubeJWTAuthenticator) AuthenticatorType() string {
    // KubeJWTAuthenticatorType = "KubeJWTAuthenticator"
    return KubeJWTAuthenticatorType
}
func (a *KubeJWTAuthenticator) Authenticate(ctx context.Context) (*Caller, error) {
    // 从header Bearer里面获得token
    targetJWT, err := extractBearerToken(ctx)
    ...
    // 认证客户端并且得到客户端的信息
    id, err := a.client.ValidateK8sJwt(targetJWT)
    ...
    if len(id) != 2 {
        return nil, fmt.Errorf("failed to parse the JWT. Validation result length is not 2, but %d", len(id))
    }
    callerNamespace := id[0]
    callerServiceAccount := id[1]
    // 返回一个Caller
    return &Caller{
        AuthSource: AuthSourceIDToken,
        // identityTemplate         = "spiffe://%s/ns/%s/sa/%s"
        Identities: []string{fmt.Sprintf(identityTemplate, a.trustDomain, callerNamespace, callerServiceAccount)},
    }, nil
}

1. 从header Bearer里面获得token.
2. 认证客户端并且得到客户端的信息.
3. 利用客户端信息组装成一个Caller返回. 因为在授权(authorize)的时候需要用到客户端的信息.

2.1.1 k8sauthn

func NewK8sSvcAcctAuthn(apiServerAddr string, apiServerCert []byte, callerToken string) *K8sSvcAcctAuthn {
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(apiServerCert)
    // 访问k8s api-server的证书
    httpClient := &http.Client{
        Transport: &http.Transport{
            TLSClientConfig: &tls.Config{
                RootCAs: caCertPool,
            },
            MaxIdleConnsPerHost: 100,
        },
    }
    return &K8sSvcAcctAuthn{
        apiServerAddr: apiServerAddr,
        callerToken:   callerToken,
        httpClient:    httpClient,
    }
}

作用: K8sSvcAcctAuthn是负责认证 k8s JWTs.
1. apiServerAddr: the URL of k8s API Server 从上游可知是(https://kubernetes.default.svc/apis/authentication.k8s.io/v1/tokenreviews)
2. apiServerCert: the CA certificate of k8s API Server 是security运行的这个pod中对应路径(/var/run/secrets/kubernetes.io/serviceaccount/ca.crt)的内容.
3. callerToken: the JWT of the caller to authenticate to k8s API server是security运行的这个pod中对应路径(/var/run/secrets/kubernetes.io/serviceaccount/token)的内容.

reviewServiceAccountAtK8sAPIServer

defaultAudience = "istio-ca"
func (authn *K8sSvcAcctAuthn) reviewServiceAccountAtK8sAPIServer(targetToken string) (*http.Response, error) {
    saReq := saValidationRequest{
        APIVersion: "authentication.k8s.io/v1",
        Kind:       "TokenReview",
        Spec: specForSaValidationRequest{
            Token: targetToken,
            Audiences: []string{defaultAudience},
        },
    }
    saReqJSON, err := json.Marshal(saReq)
    ...
    // 构造request
    req, err := http.NewRequest("POST", authn.apiServerAddr, bytes.NewBuffer(saReqJSON))
    ...
    req.Header.Set("Content-Type", "application/json")
    // authn.callerToken是security这个pod的token
    req.Header.Set("Authorization", "Bearer "+authn.callerToken)
    resp, err := authn.httpClient.Do(req)
    ...
    return resp, nil
}

1. targetToken是客户端请求的token信息, 也就是客户端向启动grpc server组件的pod来发请求, 所以saReq中的token是targetToken.
2. authn.callerToken是citadel这个pod的token, 因为是citadel来向api-server发请求, 所以Bearer中需要写citadel这个pod的token.

例子如下: 具体关于TokenReview去研究api-server源码即可.

    // An example SA token:
    // {"alg":"RS256","typ":"JWT"}
    // {"iss":"kubernetes/serviceaccount",
    //  "kubernetes.io/serviceaccount/namespace":"default",
    //  "kubernetes.io/serviceaccount/secret.name":"example-pod-sa-token-h4jqx",
    //  "kubernetes.io/serviceaccount/service-account.name":"example-pod-sa",
    //  "kubernetes.io/serviceaccount/service-account.uid":"ff578a9e-65d3-11e8-aad2-42010a8a001d",
    //  "sub":"system:serviceaccount:default:example-pod-sa"
    //  }

    // An example token review status
    // "status":{
    //   "authenticated":true,
    //   "user":{
    //     "username":"system:serviceaccount:default:example-pod-sa",
    //     "uid":"ff578a9e-65d3-11e8-aad2-42010a8a001d",
    //     "groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"]
    //    }
    // }

ValidateK8sJwt

func (authn *K8sSvcAcctAuthn) ValidateK8sJwt(targetToken string) ([]string, error) {
    // 判断是否TrustworthyJwt
    // SDS requires JWT to be trustworthy (has aud, exp, and mounted to the pod).
    isTrustworthyJwt, err := isTrustworthyJwt(targetToken)
    ...
    // 返回结果
    resp, err := authn.reviewServiceAccountAtK8sAPIServer(targetToken)
    ...
    bodyBytes, err := ioutil.ReadAll(resp.Body)
    ...
    tokenReview := &k8sauth.TokenReview{}
    err = json.Unmarshal(bodyBytes, tokenReview)
    ...
    // "username" is in the form of system:serviceaccount:{namespace}:{service account name}",
    // e.g., "username":"system:serviceaccount:default:example-pod-sa"
    subStrings := strings.Split(tokenReview.Status.User.Username, ":")
    ...
    namespace := subStrings[2]
    saName := subStrings[3]
    return []string{namespace, saName}, nil
}

1. 调用reviewServiceAccountAtK8sAPIServer从api-server返回客户端的认证信息, 也就是说向citadel发请求的客户端的token需要得到k8s的认证.
2. 从tokenReview.Status.User.Username中得到namespace, serviceaccount name返回.

2.2 ClientCertAuthenticator

func (cca *ClientCertAuthenticator) Authenticate(ctx context.Context) (*Caller, error) {
    peer, ok := peer.FromContext(ctx)
    ...
    tlsInfo := peer.AuthInfo.(credentials.TLSInfo)
    chains := tlsInfo.State.VerifiedChains
    ...
    // 从extensions中获得ids
    ids, err := util.ExtractIDs(chains[0][0].Extensions)
    ...
    return &Caller{
        AuthSource: AuthSourceClientCertificate,
        Identities: ids,
    }, nil
}

ClientCertAuthenticator针对的是用x509生成的用户信息.

3. grpc server

// security/cmd/istio_ca/main.go
func runCA() {
    ...
    if opts.grpcPort > 0 {
        ...
        hostnames := append(strings.Split(opts.grpcHosts, ","), fqdn())
        caServer, startErr := caserver.New(ca, opts.maxWorkloadCertTTL, opts.signCACerts, hostnames,
            opts.grpcPort, spiffe.GetTrustDomain(), opts.sdsEnabled)
        ...
        if serverErr := caServer.Run(); serverErr != nil {
            ch <- struct{}{}
            ...
        }
    }
    ...
}
// security/pkg/server/ca/server.go
func New(ca CertificateAuthority, ttl time.Duration, forCA bool,
    hostlist []string, port int, trustDomain string, sdsEnabled bool) (*Server, error) {
    ...
    authenticators := []authenticator{&authenticate.ClientCertAuthenticator{}}
    // Only add k8s jwt authenticator if SDS is enabled.
    if sdsEnabled {
        // 添加一个k8s jwt认证
        authenticator, err := authenticate.NewKubeJWTAuthenticator(k8sAPIServerURL, caCertPath, jwtPath,
            trustDomain)
        if err == nil {
            authenticators = append(authenticators, authenticator)
            log.Info("added K8s JWT authenticator")
        } else {
            log.Warnf("failed to add JWT authenticator: %v", err)
        }
    }
    ...
    server := &Server{
        authenticators: authenticators,
        ...
    }
    return server, nil
}

由于authorize在此版本没有打开, 因此把关于authorize部分的内容都去掉了.
1. 可以看到认证的对象默认有一个ClientCertAuthenticator类型的对象, 如果sdsEnabled = true, 那么就会增加一个KubeJWTAuthenticator类型的对象.

HandleCSR

func (s *Server) HandleCSR(ctx context.Context, request *pb.CsrRequest) (*pb.CsrResponse, error) {
    s.monitoring.CSR.Inc()
    // 认证
    caller := s.authenticate(ctx)
    ...
    // 生成csr
    csr, err := util.ParsePemEncodedCSR(request.CsrPem)
    ...
    _, err = util.ExtractIDs(csr.Extensions)
    ...
    // TODO: Call authorizer. 等待要做的授权
    // 获得签名后的证书
    _, _, certChainBytes, _ := s.ca.GetCAKeyCertBundle().GetAll()
    cert, signErr := s.ca.Sign(
        request.CsrPem, caller.Identities, time.Duration(request.RequestedTtlMinutes)*time.Minute, s.forCA)
    ...
    // 组装response
    response := &pb.CsrResponse{
        IsApproved: true,
        SignedCert: cert,
        CertChain:  certChainBytes,
    }
    ...
    return response, nil
}

作用: 处理请求签名证书的request. 对请求做一些认证, 然后签名并且返回签名后的证书. 如果没有通过, 则返回错误理由.

handlecsr.png